VPN w/ PIX 501 1

[cyberfreek]

I have a PIX 501 that is configured for VPN access.
I can estalish a successful connection and receive the local IP address (i.e. 192.168.x.x), but I can not ping nor access any systems on the LAN. I noticed that the subnet mask assigned, is 255.255.255.255 and the local SM is 255.255.255.0.

Any suggestions?

 

[TheStressFactor]

post your config so we can better analyze the problem

 

[cyberfreek]

OOPS!

Here you go.

PIX Version 6.1(3)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password encrypted
passwd encrypted
hostname TMHome
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 permit tcp any host 67.120.194.17 eq telnet
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.160.0 255.255.255.0
pager lines 24
logging on
logging buffered errors
logging trap notifications
logging history notifications
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 67.120.194.17 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool pptp-pool 192.168.1.2-192.168.1.5
pdm location 192.168.1.32 255.255.255.255 inside
pdm location 64.81.61.0 255.255.255.0 outside
pdm location 67.117.67.224 255.255.255.252 outside
pdm location 67.117.67.0 255.255.255.252 outside
pdm location 192.168.2.0 255.255.255.0 inside
pdm location 64.81.61.196 255.255.255.255 outside
pdm location 64.81.61.197 255.255.255.255 outside
pdm location 67.117.67.226 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 67.120.194.18-67.120.194.21
global (outside) 1 interface
global (outside) 1 67.120.194.254
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 67.120.194.22 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 64.81.61.196 255.255.255.255 outside
http 64.81.61.197 255.255.255.255 outside
http 67.117.67.226 255.255.255.255 outside
http 192.168.1.0 255.255.255.0 inside
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
no floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
crypto ipsec transform-set tm3 esp-3des esp-md5-hmac
crypto map xxx ipsec-isakmp
crypto map xxx match address 101
crypto map xxx set peer 67.117.67.226
crypto map xxx set transform-set tm3
crypto map xxx interface outside
isakmp enable outside
isakmp key ******** address 67.117.67.226 netmask 255.255.255.252
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
telnet 64.81.61.196 255.255.255.255 outside
telnet 64.81.61.197 255.255.255.255 outside
telnet 67.117.67.226 255.255.255.255 outside
telnet 192.168.1.0 255.255.255.0 inside
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 30
ssh timeout 5
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username xxxxx password xxxxx
vpdn enable outside
dhcpd address 192.168.1.30-192.168.1.61 inside
dhcpd dns 206.13.28.12 206.13.31.12
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:a35f0033828532bc5585132a3e5afb26

 

[DaleB]

I am having the exact same problem. A new PIX 501 with VPN connection to PIX 515. Tunnel is established, users can log in to server across VPN, get mapped drives but can not ping across tunnel. I can turn on debug icmp trace on both firewalls and see echo-requests and echo-reply go between both but echo-reply dies behind new 501. I can ping -t computer behind 501 and see NIC activity light go crazy but echo-reply does not make it back through the tunnel.
This was the original config. I have since seperated the NAT 0 access-list and the ipsec access-list.

config:
PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ryOx6zCu9.BaM46B encrypted
passwd y3SDxVxaG66BYLpC encrypted
hostname RacineWI
domain-name Coldironcompanies.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 1.1.1.1 DSL
access-list 80 permit ip 192.168.9.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list 80 permit ip 192.168.9.0 255.255.255.0 192.168.102.0 255.255.255.0
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
icmp permit any outside
icmp permit any unreachable outside
icmp permit any echo-reply outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.205.133 255.255.255.248
ip address inside 192.168.9.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn-pool 192.168.10.101-192.168.10.110
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 80
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 68.21.205.134 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.9.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community CIWI
no snmp-server enable traps
floodguard enable
no sysopt route dnat
crypto ipsec transform-set vpnset1 esp-3des esp-md5-hmac
crypto dynamic-map vpnusers 15 set transform-set vpnset1
crypto map map1 10 ipsec-isakmp
crypto map map1 10 match address 80
crypto map map1 10 set peer xxx.xxx.189.162
crypto map map1 10 set transform-set vpnset1
crypto map map1 20 ipsec-isakmp dynamic vpnusers
crypto map map1 client configuration address initiate
crypto map map1 client configuration address respond
crypto map map1 interface outside
isakmp enable outside
isakmp key ******** address xxx.xxx.189.162 netmask 255.255.255.255
isakmp identity address
isakmp client configuration address-pool local vpn-pool outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
telnet 192.168.10.0 255.255.255.0 outside
telnet 192.168.100.0 255.255.255.0 outside
telnet 192.168.9.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:56de2b4e251da454100a30f958a0e9ac
: end

 

[br0ck]

DaleB,

Add this
>access-list 80 permit icmp any any
>access-group in interface outside

this will allow ping in all directions

Brock D. Mowry
Hardware Specialist

http://www.iNECTA.com

 

[iiiiss]

Hi !

Sorry but I don´t agree with br0ck because this would not be very sercure !
With "sysopt connection permit-ipsec" every VPN traffic should be independent from any acess-lists..
It would work wiht the access-list entries but when you look at your vpn client you would see that the traffic is not encrypted and that is surely not your wish or ?

I had the same problem using a pix 515E.
I used PIXcript from yizhar to configure the VPN connection.

I hope that will help you.

 

[sunyasee]

Hi Cyberfreek,

Your pptp pool overlaps with your inside address range...

ip address inside 192.168.1.1 255.255.255.0

ip local pool pptp-pool 192.168.1.2-192.168.1.5

It is recommended you use a different range for your remote users i.e 10.0.0.1-10.0.0.5

----

Sunyasee B-)

 

[br0ck]

iiiss,
Thanks for that input i see that now. Brock D. Mowry
Hardware Specialist

http://www.iNECTA.com

 

[DaleB]

iiiiss,

Thanks, I missed line, "sysopt connection permit-ipsec". I hope my hair grows back soon.

I have done several PIX to PIX VPN connections and most go smoothly. This one did not.

Thanks again.

DaleB

 

[berford]

Yeah. The problem here is that without the sysopt command the PIX enforces it's security policy on the VPN tunnel as well as outside -> in traffic. Actually Brock was right (but I agree that is an extreme measure to solve this problem.).

 

[cyberfreek]

Sunyasee,

Thank you for the tip. It worked.
That makes sense.

Cyberfreek

 

[cyberfreek]

Thanks guys.

I have another question.

How can I browse for data using the computer name instead of just the ip address?

 

[cfwdude]

late response to this, but if you have an internal dns server, use
dhcpd dns 192.168.x.x
of that server to issue the dns to the clients. Then the client should be able to resolve computer names.